v0.9 - Use batch checks in middleware, add Minimal API extensions (#9)

.nuke/build.schema.json

@@ -40,7 +40,8 @@
         },
         "NugetApiKey": {
           "type": "string",
-          "description": "Nuget Api Key"
+          "description": "Nuget Api Key",
+          "default": "Secrets must be entered via 'nuke :secrets [profile]'"
         },
         "Partition": {
           "type": "string",
@@ -71,7 +72,8 @@
               "Compile",
               "NugetPack",
               "NugetPush",
-              "Restore"
+              "Restore",
+              "Test"
             ]
           }
         },
@@ -89,7 +91,8 @@
               "Compile",
               "NugetPack",
               "NugetPush",
-              "Restore"
+              "Restore",
+              "Test"
             ]
           }
         },

README.md

@@ -73,7 +73,7 @@ builder.Services.AddAuthorization(options =>
 });
 ```
 
-### Built-in Attributes
+### Built-in Check Attributes
 
 `Fga.Net.AspNetCore` ships with a number of attributes that should cover the most common authorization sources for FGA checks:
 
@@ -82,7 +82,18 @@ builder.Services.AddAuthorization(options =>
 - `FgaQueryObjectAttribute` - Computes the Object via a value in the query string
 - `FgaRouteObjectAttribute` - Computes the Object via a value in the routes path
 
-These attributes can be used in both minimal APIs & in your controller(s):
+If you want to use these attributes, you need to configure how the user's identity is resolved from the `ClaimsPrincipal`.
+The example below uses the Name, which is mapped to the User ID in a default Auth0 integration.
+
+```cs
+builder.Services.AddOpenFgaMiddleware(config =>
+{
+    //DSL v1.1 requires the user type to be included
+    config.UserIdentityResolver = principal => $"user:{principal.Identity!.Name!}";
+});
+```
+
+These attributes can then be used in both minimal APIs & in your controller(s):
 ```cs
     // Traditional Controllers
     [ApiController]
@@ -101,19 +112,10 @@ These attributes can be used in both minimal APIs & in your controller(s):
     // Minimal APIs
     app.MapGet("/viewminimal/{documentId}", (string documentId) => Task.FromResult(documentId))
         .RequireAuthorization(FgaAuthorizationDefaults.PolicyKey)
-        .WithMetadata(new FgaRouteObjectAttribute("read", "document", "documentId"));
-```
-
-
-If you want to use the built-in attributes, you need to configure how the user's identity is resolved from the `ClaimsPrincipal`.
-The example below uses the Name, which should be suitable for most people (given the claim is mapped correctly).
-
-```cs
-builder.Services.AddOpenFgaMiddleware(config =>
-{
-    //DSL v1.1 requires the user type to be included
-    config.UserIdentityResolver = principal => $"user:{principal.Identity!.Name!}";
-});
+        // Extensions methods are included for the built-in attributes
+        .WithFgaRouteCheck("read", "document", "documentId")
+        // You can apply custom attributes like so
+        .WithMetadata(new ComputedRelationshipAttribute("document", "documentId"));
 ```
 
 ### Custom Attributes
@@ -123,19 +125,17 @@ To do this, inherit from either `FgaBaseObjectAttribute`, which uses the configu
 
 For example, an equivalent to the [How To Integrate Within A Framework](https://docs.fga.dev/integration/framework) tutorial would be:
 ```cs
-public class ComputedRelationshipAttribute : FgaAttribute
+public class ComputedRelationshipAttribute : FgaBaseObjectAttribute
 {
     private readonly string _prefix;
     private readonly string _routeValue;
-    public EntityAuthorizationAttribute(string prefix, string routeValue)
+
+    public ComputedRelationshipAttribute(string prefix, string routeValue)
     {
         _prefix = prefix;
         _routeValue = routeValue;
     }
-
-    public override ValueTask<string> GetUser(HttpContext context) 
-        => ValueTask.FromResult(context.User.Identity!.Name!);
-
+
     public override ValueTask<string> GetRelation(HttpContext context) 
         => ValueTask.FromResult(context.Request.Method switch 
         {

samples/Fga.Example.AspNetCore/ComputedRelationshipAttribute.cs

@@ -3,7 +3,7 @@
 namespace Fga.Example.AspNetCore;
 
 //Computes the relationship based on the requests HTTP method.
-public class ComputedRelationshipAttribute : FgaAttribute
+public class ComputedRelationshipAttribute : FgaBaseObjectAttribute
 {
     private readonly string _type;
     private readonly string _routeValue;
@@ -13,9 +13,6 @@ public ComputedRelationshipAttribute(string type, string routeValue)
         _routeValue = routeValue;
     }
 
-    public override ValueTask<string> GetUser(HttpContext context) 
-        => ValueTask.FromResult(context.User.Identity!.Name!);
-
     public override ValueTask<string> GetRelation(HttpContext context) 
         => ValueTask.FromResult(context.Request.Method switch 
         {

samples/Fga.Example.AspNetCore/Program.cs

@@ -48,7 +48,7 @@
 
 builder.Services.AddOpenFgaMiddleware(middlewareConfig =>
 {
-    middlewareConfig.UserIdentityResolver = principal => principal.Identity!.Name!;
+    middlewareConfig.UserIdentityResolver = principal => $"user:{principal.Identity!.Name!}";
 });
 
 builder.Services.AddAuthorization(options =>
@@ -75,6 +75,6 @@
 
 app.MapGet("/viewminimal/{documentId}", (string documentId) => Task.FromResult(documentId))
     .RequireAuthorization(FgaAuthorizationDefaults.PolicyKey)
-    .WithMetadata(new FgaRouteObjectAttribute("viewer", "doc", "documentId"));
+    .WithFgaRouteCheck("reader", "document", "documentId");
 
 app.Run();

samples/Fga.Example.AspNetCore/appsettings.Development.json

@@ -1,7 +1,7 @@
 {
   "Logging": {
     "LogLevel": {
-      "Default": "Information",
+      "Default": "Debug",
       "Microsoft.AspNetCore": "Debug"
     }
   }

src/Fga.Net.AspNetCore/Authorization/Attributes/FgaRouteObjectAttribute.cs

@@ -18,7 +18,7 @@ public class FgaRouteObjectAttribute : FgaBaseObjectAttribute
     /// </summary>
     /// <param name="relation">The relationship to check, such as writer or viewer</param>
     /// <param name="type">The relation between the user and object</param>
-    /// <param name="routeKey">The query key to get the value from. Will throw an exception if not present.</param>
+    /// <param name="routeKey">The route key to get the value from. Will throw an exception if not present.</param>
     public FgaRouteObjectAttribute(string relation, string type, string routeKey)
     {
         _relation = relation;

src/Fga.Net.AspNetCore/Authorization/FgaCheckDecorator.cs

@@ -27,19 +27,20 @@ public FgaCheckDecorator(OpenFgaClient auth0FgaApi)
     /// <param name="request"></param>
     /// <param name="ct"></param>
     /// <returns></returns>
-    public virtual Task<CheckResponse> Check(ClientCheckRequest request, CancellationToken ct) => _auth0FgaApi.Check(request, cancellationToken: ct);
+    public virtual Task<BatchCheckResponse> BatchCheck(List<ClientCheckRequest> request, CancellationToken ct) => _auth0FgaApi.BatchCheck(request, cancellationToken: ct);
 }
 
 /// <summary>
 /// Temporary wrapper to allow for easier testing of middleware. Don't take a dependency on this.
 /// </summary>
 public interface IFgaCheckDecorator
 {
+
     /// <summary>
     /// 
     /// </summary>
     /// <param name="request"></param>
     /// <param name="ct"></param>
     /// <returns></returns>
-    Task<CheckResponse> Check(ClientCheckRequest request, CancellationToken ct);
+    Task<BatchCheckResponse> BatchCheck(List<ClientCheckRequest> request, CancellationToken ct);
 }

src/Fga.Net.AspNetCore/Authorization/FineGrainedAuthorizationHandler.cs

@@ -46,6 +46,9 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
             // The user is enforcing the fga policy but there's no attributes here.
             if (attributes.Count == 0)
                 return;
+
+            var checks = new List<ClientCheckRequest>();
+
             foreach (var attribute in attributes)
             {
                 string? user;
@@ -69,22 +72,38 @@ protected override async Task HandleRequirementAsync(AuthorizationHandlerContext
                     _logger.NullValuesReturned(user, relation, @object);
                     return;
                 }
-
 
-                var result = await _client.Check(new ClientCheckRequest()
+                checks.Add(new ClientCheckRequest
                 {
                     User = user,
                     Relation = relation,
                     Object = @object
-                }, httpContext.RequestAborted);
+                });
+            }
+
+            var results = await _client.BatchCheck(checks, httpContext.RequestAborted);
 
-                if (result.Allowed is false)
+            var failedChecks = results.Responses.Where(x=> x.Allowed is false).ToArray();
+
+            // log all of reasons for the failed checks
+            if (failedChecks.Length > 0)
+            {
+                foreach (var response in failedChecks)
                 {
-                    _logger.CheckFailureDebug(user, relation, @object);
-                    return;
+                    if (response.Error is not null)
+                    {
+                        _logger.CheckException(response.Request.User, response.Request.Relation, response.Request.Object, response.Error);
+                    }
+                    else if (response.Allowed is false)
+                    {
+                        _logger.CheckFailure(response.Request.User, response.Request.Relation, response.Request.Object);
+                    }
                 }
             }
-            context.Succeed(requirement);
+            else
+            {
+                context.Succeed(requirement);
+            }
         }
     }
 }

src/Fga.Net.AspNetCore/Authorization/Log.cs

@@ -23,12 +23,16 @@ namespace Fga.Net.AspNetCore.Authorization;
 
 internal static partial class Log
 {
-    [LoggerMessage(0, LogLevel.Debug, "FGA Check failed for User: {user}, Relation: {relation}, Object: {object}")]
-    public static partial void CheckFailureDebug(this ILogger logger, string user, string relation, string @object);
+    [LoggerMessage(3001, LogLevel.Debug, "FGA Check failed for User: {user}, Relation: {relation}, Object: {object}")]
+    public static partial void CheckFailure(this ILogger logger, string user, string relation, string @object);
 
-    [LoggerMessage(1, LogLevel.Debug, "FGA Attribute returned null value(s), User: {user}, Relation: {relation}, Object: {object}")]
+    [LoggerMessage(3002, LogLevel.Debug, "FGA Attribute returned null value(s), User: {user}, Relation: {relation}, Object: {object}")]
     public static partial void NullValuesReturned(this ILogger logger, string? user, string? relation, string? @object);
 
-    [LoggerMessage(2, LogLevel.Information, "Unable to compute FGA Object.")]
+    [LoggerMessage(3003, LogLevel.Information, "Unable to compute FGA Object.")]
     public static partial void MiddlewareException(this ILogger logger, FgaMiddlewareException ex);
+
+    [LoggerMessage(3004, LogLevel.Warning, "Error occurred whilst attempting to perform middleware check for User: {user}, Relation: {relation}, Object: {object}")]
+    public static partial void CheckException(this ILogger logger, string user, string relation, string @object, Exception ex);
+
 }

src/Fga.Net.AspNetCore/Authorization/MinimalApiExtensions.cs

@@ -0,0 +1,62 @@
+using Fga.Net.AspNetCore.Authorization.Attributes;
+using Microsoft.AspNetCore.Builder;
+
+namespace Fga.Net.AspNetCore.Authorization;
+
+/// <summary>
+/// Fga extensions for use with Minimal APIs
+/// </summary>
+public static class MinimalApiExtensions
+{
+    /// <summary>
+    /// <inheritdoc cref="FgaHeaderObjectAttribute"/>
+    /// </summary>
+    /// <param name="builder">The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder"/>.</param>
+    /// <param name="relation">The relationship to check, such as writer or viewer</param>
+    /// <param name="type">The relation between the user and object</param>
+    /// <param name="headerKey">The header to get the value from. Will throw an exception if not present.</param>
+    /// <returns>The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder" />.</returns>
+    public static TBuilder WithFgaHeaderCheck<TBuilder>(this TBuilder builder, string relation, string type, string headerKey) where TBuilder : IEndpointConventionBuilder
+    {
+        return builder.WithMetadata(new FgaHeaderObjectAttribute(relation, type, headerKey));
+    }
+
+    /// <summary>
+    /// <inheritdoc cref="FgaPropertyObjectAttribute"/>
+    /// </summary>
+    /// <param name="builder">The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder"/>.</param>
+    /// <param name="relation">The relationship to check, such as writer or viewer</param>
+    /// <param name="type">The relation between the user and object</param>
+    /// <param name="property">The JSON property to get the value from. Must be a string or number. Will throw an exception if not present.</param>
+    /// <returns>The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder" />.</returns>
+    public static TBuilder WithFgaPropertyCheck<TBuilder>(this TBuilder builder, string relation, string type, string property) where TBuilder : IEndpointConventionBuilder
+    {
+        return builder.WithMetadata(new FgaPropertyObjectAttribute(relation, type, property));
+    }
+
+    /// <summary>
+    /// <inheritdoc cref="FgaQueryObjectAttribute"/>
+    /// </summary>
+    /// <param name="builder">The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder"/>.</param>
+    /// <param name="relation">The relationship to check, such as writer or viewer</param>
+    /// <param name="type">The relation between the user and object</param>
+    /// <param name="queryKey">The query key to get the value from. Will throw an exception if not present.</param>
+    /// <returns>The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder" />.</returns>
+    public static TBuilder WithFgaQueryCheck<TBuilder>(this TBuilder builder, string relation, string type, string queryKey) where TBuilder : IEndpointConventionBuilder
+    {
+        return builder.WithMetadata(new FgaQueryObjectAttribute(relation, type, queryKey));
+    }
+
+    /// <summary>
+    /// <inheritdoc cref="FgaRouteObjectAttribute"/>
+    /// </summary>
+    /// <param name="builder">The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder"/>.</param>
+    /// <param name="relation">The relationship to check, such as writer or viewer</param>
+    /// <param name="type">The relation between the user and object</param>
+    /// <param name="routeKey">The route key to get the value from. Will throw an exception if not present.</param>
+    /// <returns>The <see cref="T:Microsoft.AspNetCore.Builder.IEndpointConventionBuilder" />.</returns>
+    public static TBuilder WithFgaRouteCheck<TBuilder>(this TBuilder builder, string relation, string type, string routeKey) where TBuilder : IEndpointConventionBuilder
+    {
+        return builder.WithMetadata(new FgaRouteObjectAttribute(relation, type, routeKey));
+    }
+}

src/Fga.Net/Fga.Net.DependencyInjection.csproj

@@ -14,7 +14,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Http" Version="6.0.0" />
     <PackageReference Include="DotNet.ReproducibleBuilds" Version="1.1.1" PrivateAssets="All" />
-    <PackageReference Include="OpenFga.Sdk" Version="0.2.2" />
+    <PackageReference Include="OpenFga.Sdk" Version="0.2.3" />
   </ItemGroup>
 
   <Import Project="../../Package.Build.props" />

tests/Fga.Net.Tests/Client/EndpointTests.cs

@@ -74,7 +74,7 @@ private async Task GetEndpoints_OpenFgaClient_Return_200()
             Assert.NotNull(modelsResponse);
             Assert.NotNull(modelsResponse.AuthorizationModels);
             Assert.True(modelsResponse.AuthorizationModels?.Count > 0);
-
+            
             var modelId = modelsResponse.AuthorizationModels?.First().Id!;
 
             var modelResponse = await client.ReadAuthorizationModel(new ClientReadAuthorizationModelOptions() {AuthorizationModelId = modelId});
@@ -103,12 +103,7 @@ private async Task GetEndpoints_OpenFgaClient_Return_200()
 
             var watch = await client.ReadChanges(new ClientReadChangesRequest() {Type = "document"});
             Assert.NotNull(watch);
-
-
         }
 
-
-
-
     }
 }

tests/Fga.Net.Tests/Middleware/WebAppFixture.cs

@@ -1,4 +1,6 @@
-using System.Threading;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
 using System.Threading.Tasks;
 using Alba;
 using Fga.Net.AspNetCore.Authorization;
@@ -20,12 +22,16 @@ public async Task InitializeAsync()
         var authorizationClientMock = new Mock<IFgaCheckDecorator>();
 
         authorizationClientMock.Setup(c =>
-            c.Check(It.IsAny<ClientCheckRequest>(),
-                It.IsAny<CancellationToken>()))
-            .ReturnsAsync((ClientCheckRequest res, CancellationToken _) => 
-                res.User == MockJwtConfiguration.DefaultUser 
-                    ? new CheckResponse() { Allowed = true } 
-                    : new CheckResponse() { Allowed = false });
+                c.BatchCheck(It.IsAny<List<ClientCheckRequest>>(),
+                    It.IsAny<CancellationToken>()))
+            .ReturnsAsync((List<ClientCheckRequest> res, CancellationToken _) =>
+            {
+                var entry = res.First();
+                return entry.User == MockJwtConfiguration.DefaultUser
+                    ? new BatchCheckResponse() { Responses = new List<BatchCheckSingleResponse>() { new(true, entry) } }
+                    : new BatchCheckResponse() { Responses = new List<BatchCheckSingleResponse>() { new(false, entry) } };
+            });
+
 
 
         AlbaHost = await Alba.AlbaHost.For<Program>(builder =>